When a user registers at our site we check the address with an address validation service. This service can return an address suggestion if the entered address is found but has some errors. This suggestion is returned to the user.
The user can accept the suggestion and is trusted. If he changes the address he is not trusted.
Is there a good way to check if the data displayed to the user is the same as the data he posts? I guess I need a hidden field with the hash of the address data. But I am not sure which algorithm I should take. The algorithm should be case insensitive if possible.
The algorithm should create a tamper-proof one-way hash.
EDIT:
This worked pretty well so far. I still have to test with umlauts (ä, ü).
// Requires: using System.Text; using System.Security.Cryptography;
StringBuilder addressData = new StringBuilder();
addressData.Append(FirstName);
addressData.Append(LastName);
addressData.Append(StreetNumber);
addressData.Append(StreetName);
addressData.Append(City);
addressData.Append(CountryISO);
addressData.Append(Zip);
// Culture-invariant lower-casing, so the result does not depend on the server locale.
string stringVal = addressData.ToString().ToLowerInvariant();
// UTF-8 instead of ASCII: ASCIIEncoding replaces ä, ü and other non-ASCII characters with '?'.
System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding();
byte[] keyByte = encoding.GetBytes(ApplicationConfiguration.ShaKey);
byte[] messageBytes = encoding.GetBytes(stringVal);
HMACSHA256 hmacsha256 = new HMACSHA256(keyByte);
byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
// ByteToString is a helper that is not shown in the post.
string hash = ByteToString(hashmessage);
return hash;
Use an HMAC (Hash-based Message Authentication Code) — HMACs were invented for precisely this purpose: to authenticate data with a symmetric key. I am not familiar with .NET myself, but the standard library seems to provide many such classes inheriting from System.Security.Cryptography.HMAC. HMAC is better than a plain hash because it is not vulnerable to hash length extension attacks.
HMACSHA256 looks like a good candidate.
You should also consider adding a unique value (a nonce) to the string if you want to prevent replay attacks — otherwise a user can re-send an earlier email with the accompanying earlier HMAC signature.
The HMAC key must be a server-side secret.
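The approach from the answer above, as an added example that is not part of the original question or answer: an HMAC-SHA256 token over a canonical, case-insensitive form of the address plus a nonce, checked in constant time. The names `AddressToken`, `Sign`, `Verify`, the separator character and the sample address are assumptions made for this example, and it assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AddressToken
{
    const char Sep = '\u001F'; // unit separator; rejected inside field values

    // Canonical bytes: nonce plus each field trimmed, Unicode-normalized and
    // lower-cased, joined with Sep so text cannot shift between fields.
    static byte[] Canonical(string nonce, string[] fields)
    {
        var sb = new StringBuilder(nonce);
        foreach (string f in fields)
        {
            string v = (f ?? "").Trim().Normalize(NormalizationForm.FormC).ToLowerInvariant();
            if (v.IndexOf(Sep) >= 0) throw new ArgumentException("separator in field");
            sb.Append(Sep).Append(v);
        }
        return Encoding.UTF8.GetBytes(sb.ToString()); // UTF-8 keeps ä and ü intact
    }

    public static byte[] Sign(byte[] key, string nonce, params string[] fields)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Canonical(nonce, fields));
    }

    // Constant-time comparison of the posted token against a freshly computed HMAC.
    public static bool Verify(byte[] key, string nonce, string tokenB64, params string[] fields)
    {
        byte[] posted;
        try { posted = Convert.FromBase64String(tokenB64 ?? ""); }
        catch (FormatException) { return false; }
        return CryptographicOperations.FixedTimeEquals(posted, Sign(key, nonce, fields));
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // stand-in for the server-side secret
        // Nonce: generated per suggestion, stored server-side and accepted only once.
        string nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        // Constructed sample address, standing in for the validation service's suggestion.
        string token = Convert.ToBase64String(
            Sign(key, nonce, "Jörg", "Müller", "12", "Astraße", "Köln", "DE", "50667"));

        Console.WriteLine(Verify(key, nonce, token, "JÖRG", "müller", "12", "astraße", "köln", "de", "50667")); // only case differs
        Console.WriteLine(Verify(key, nonce, token, "Jörg", "Müller", "12A", "straße", "Köln", "DE", "50667")); // text moved between fields
        Console.WriteLine(Verify(key, nonce, token, "Jörg", "Müller", "14", "Astraße", "Köln", "DE", "50667")); // street number edited
    }
}
```

Only the first check succeeds: a case-only difference canonicalizes to the same bytes, while the shifted and the edited address produce a different HMAC. With plain concatenation and no separator, the second address would have produced the same token as the original.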